Sunday, March 16, 2014

From time to time I get the craving to race around the desert at high speed. There is just something about putting on the body armor and helmet and racing for hundreds of miles around the desert at break-neck speed with my buddies. Temple Mountain is our most common destination.

Why do I like it so much? Because it is the exact opposite of my 'regular' life. Two days in the dirt and I am good for two months. Really, it is the perfect weekend. It relieves all the stresses of modern, monitored life. It goes down like this.

Location and Routes
We base camp at Temple Mountain where there are good bathroom facilities and there is plenty of space to spread out. Temple Mountain has great trails immediately around the base of the mountain. The area has a very old, cool mine and related ruins and junk. Temple Mountain was formerly the big supplier of uranium for Uncle Sam's nukes. Now it is BLM land loaded with old dirt roads and trails that lead to hundreds of the old mines. And no cell signals - bonus!

This is one of the larger abandoned mines in the area.

Temple Mountain to Muddy River / Caineville
This is a good ride. Straight from camp, you ride on the paved road about 14 miles to Little Wild Horse Canyon where you hit dirt and ride a really fun, fast sandy road through canyons and through super cool landscapes to the Muddy River. The only reason to cross the Muddy is to get to Caineville (made famous by Nitro Circus) where you can ride what is essentially God's skate park for dirt bikes. Think 200-foot-high hard sand half-pipes and you get the idea.

I *believe* off road vehicles are allowed on the highway between Temple Mtn and Little Wild Horse. At least that is what I keep telling myself…

Back of the Swell
This is a really fun ride. The first half is wide enough for Jeeps, but then it gets narrow and much more technical. Don't be intimidated by the first climb on the trail, which has a 100 foot drop on one side, is steep, and has lots of rocks. If you get through that you can easily enjoy at least the first half of the trail. Keep going and you'll enjoy a very technical, but doable ride. It ends up at Hidden Splendor Mine, which sports a gravel airstrip in the middle of nowhere. Really…an airstrip in the middle of nowhere! Surreal.

Monday, March 10, 2014

Scientists begin experiments with a hypothesis. Researchers
begin their papers with a thesis statement. It is similarly useful to begin a
threat analysis with a threat statement. The threat statement establishes the
scope of the threat and guides the analyst in his threat research. Consider
this threat statement, “Unauthorized disclosure of sensitive data.” A partial
map of the scope of this statement looks something like the diagram shown
below.

This scope of analysis is a bit large. Consider how large it
would be for an enterprise with sensitive information spread across hundreds of
systems! However, it is not unapproachable. Every journey, however long, begins
with a single step. In this case, that step is to decompose the threat into a
series of more narrow threat statements, such as this one, “Unauthorized
disclosure of sensitive data through theft or loss of off-site stored data
backup tape by outsider.” The map of this statement is much narrower.

This threat statement, unauthorized disclosure of sensitive
data through theft of off-site stored data backup tape by outsiders, is
narrowly scoped. It identifies the threat agent (outsider); it specifies the
assets in question (data backup tapes); and it names the method through which the threat
may be realized (theft and loss). This narrowly scoped threat analysis can be
completed quickly and compared with other related threat analyses for
decision-making.

Analyzing narrowly defined threats does not preclude solving
larger scope threat questions such as the first one stated above, unauthorized
disclosure of sensitive data. That solution is necessary to protect sensitive
information assets. However, the answer to these broad scope threats is the sum
of the solutions to the more narrowly scoped threat statements.

A well-bounded threat
statement consists of four key elements: the asset category that is the
focus of the threat agent’s objective, the end state condition the threat agent
seeks to achieve within the context of the asset, the threat agent’s privilege
level as it relates to the target, and the compromise approach the agent will
use to realize the threat.

Target Asset / Asset Category

The target asset is the focus of the threat agent’s
objective. It is the system or category
of systems the adversary seeks to compromise.
By restricting the threat statement to a specific asset or asset category,
we establish boundaries for analysis of attack methods and related controls. While the target may be a specific asset,
modeling an asset category allows the analysis to be reused across multiple
assets.

The end state is the condition the threat agent seeks to
achieve within the context of the target asset.
It is his goal as it relates to the system he is attacking. Including the end state in the threat
statement narrows the analysis on attack vectors used to achieve the end
state.

Some other end states include application administrator
access, network denial of service, unauthorized operating system access, remote
system control, physical possession of storage media, and access to internal
network communications.

The threat statement should specify the threat agent’s
privilege level as it relates to the target system. The types of attack methods
available to a threat agent and the complexity and risk exposure of executing
the attack methods are partially dependent on the agent and his privilege level
as it relates to the target system. For example, physical compromise of a
system within a secured data center is easier for an administrator with
authorized access to the data center than for an outsider who has no data
center access privileges.

Other privilege levels include an outsider with no access to
non-public target resources, an insider who has access to the target system
owner’s private network or physical facilities but no local area network or
physical access to the target system, and a privileged insider who has direct
physical or local network access to the target system.

The compromise approach specifies the category of methods
the threat agent will use to realize the threat. The compromise approach in our
example threat statement is theft of authentication credentials. This limits the scope of attack methods to
those such as horizontal credential guessing, vertical credential guessing,
keystroke logging, phishing, social engineering, and network communications intercept
through CAM table flooding or ARP spoofing.
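As an added illustration (not code from the original post), this models the four-element threat statement described above and shows the decomposition idea in practice: a broad statement is expanded into a grid of narrow statements, and the analyst can see which cells are still unanalyzed. The element names and the sample asset, privilege and approach values are assumptions chosen for the example.

```python
from dataclasses import dataclass
from itertools import product

# Added example: a minimal model of the four-element threat statement.
# The sample values below are constructed for illustration only.


@dataclass(frozen=True)
class ThreatStatement:
    asset: str        # target asset or asset category
    end_state: str    # condition the agent seeks to achieve
    privilege: str    # agent's privilege level relative to the target
    approach: str     # category of compromise methods

    def is_well_bounded(self) -> bool:
        """A well-bounded statement names all four elements."""
        return all(v.strip() for v in
                   (self.asset, self.end_state, self.privilege, self.approach))

    def render(self) -> str:
        """Canonical one-line form of the statement."""
        return (f"{self.end_state} of {self.asset} through "
                f"{self.approach} by {self.privilege}")


def decompose(end_state, assets, privileges, approaches):
    """Expand a broad statement (end state only) into one narrow
    statement per asset x privilege x approach cell."""
    return [ThreatStatement(a, end_state, p, m)
            for a, p, m in product(assets, privileges, approaches)]


def uncovered(required, analyzed):
    """Narrow statements not yet analyzed; the broad-scope answer is only
    complete (the 'sum of the solutions') when this list is empty."""
    done = set(analyzed)
    return [t for t in required if t not in done]


# Constructed sample: the broad statement from the text, narrowed over
# assumed asset, privilege and approach categories.
BROAD = "unauthorized disclosure of sensitive data"
GRID = decompose(
    BROAD,
    assets=["off-site backup tape", "database server"],
    privileges=["outsider", "insider", "privileged insider"],
    approaches=["theft or loss", "theft of authentication credentials"],
)
ANALYZED = [ThreatStatement("off-site backup tape", BROAD,
                            "outsider", "theft or loss")]
```

Running `uncovered(GRID, ANALYZED)` lists the eleven remaining cells, which is the analyst's backlog for the broad statement.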

Cyber warfare encompasses nation-state activities taken
against enemy computer systems and networks with the intent of controlling,
compromising, or disabling function through electronic methods. The potential
impact of cyber warfare is perhaps best described by an unnamed Chinese general
who stated in 1996, “We can make the enemy's command centers not work by
changing their data system. We can cause the enemy's headquarters to make
incorrect judgment(s) by sending disinformation. We can dominate the enemy's
banking system and even its entire social order.”[1]

In 2007, a Gartner report stated that thirty nations were developing cyber
warfare capabilities and predicted that 30% of all nations would have cyber
warfare capabilities by 2012.[2] The United States is leading the world in
investment in cyber warfare infrastructure. In 2006 the U.S. announced the
creation of the Air Force Cyberspace Command. During the announcement of the
division, Secretary of the Air Force Michael Wynne said “The aim is to develop
a major command that stands alongside Air Force Space Command and Air Combat
Command as the provider of forces that the President, combatant commander and
the American people can rely on for preserving the freedom of access and
commerce, in air, space, and now cyberspace.”[3]

Cyber Warheads – Stuxnet

Until early 2010, what a cyber weapon would actually look
like, when it would first be used, and against whom and what it would be
launched remained in the realm of conjecture. On June 17, 2010, the
Belarus-based security firm VirusBlokAda Ltd discovered a new piece of malware
resident on an Iranian-based client’s system that made cyber warfare manifest.
Stuxnet isn’t just a one-off piece of malware. It is a framework for development
of future cyber-warheads.

In short, the function of
Stuxnet is to damage the Iranian Natanz nuclear fuel enrichment plant and,
possibly, the Iranian Bushehr nuclear power plant. Nuclear fuel enrichment
plants use centrifuges to produce low enriched uranium. Stuxnet reprograms the
Siemens industrial control system used at the Natanz enrichment facility to
cause the IR-1 centrifuges to spin at rates and in patterns harmful to the
centrifuges. Stuxnet also shut down related warning and safety controls that
would alert plant operators to the odd centrifuge behavior.

While Stuxnet infections did
not remain isolated to Iran, data collected by Symantec through its monitoring
infrastructure revealed that Iran hosted 58% of the total infected systems. Indonesia
and India followed distantly with 18% and 10% of the total infected hosts.[4]
And, it seems to have achieved at least some of its intended effect. In late
2009 to early 2010 Iran replaced about 1,000 IR-1 centrifuges at their Natanz
facility. On November 23, 2010, the leader of Iran’s Atomic Energy
Organization, Ali Akbar Salehi, confirmed reports of cyber attacks against
Iran’s nuclear facilities: “One year and several months ago, Westerners sent a
virus to [our] country’s nuclear sites.” On November 29, 2010, Iranian
President Mahmoud Ahmadinejad confirmed the reports in a news conference. “They
succeeded in creating problems for a limited number of our centrifuges with the
software they had installed in electronic parts.”[5]

Natanz Hijacking Requirement / Stuxnet Solution

Requirement: The location of the Natanz industrial control systems is not known, so the software would have to crawl systems autonomously and auto-detect whether it was on one of the control systems.
Solution: Stuxnet contains exploits for four zero-day vulnerabilities for spreading through network communications and through USB drives and for escalating local privileges. Additionally, it copies itself to remote computers through network shares. Once on a system, Stuxnet examines its host to determine if it is in fact a system used to control the IR-1 centrifuges known to be in use at Natanz.

Requirement: The industrial control systems (ICS) are not connected to any network that is connected to the Internet, so the malware has to jump the network air gap.
Solution: Spreading through USB drives and network shares (above) carries the malware across the air gap.

Requirement: The malware has to operate undetected for a long period of time before achieving its objectives.
Solution: Stuxnet employs advanced rootkit techniques, and its malicious driver files are signed with stolen, valid digital certificates to avoid detection. It also contains features to bypass security products.

Requirement: The malware would need to be able to update without having to call back to a command and control server.
Solution: Stuxnet-infected systems update each other using a peer-to-peer mechanism. Infected systems search for each other on their LAN. When one Stuxnet install detects another, they exchange version information. If the versions are not the same, the older instance is updated from the newer one.

Requirement: The IR-1 centrifuge attack code would need to work against the exact configuration of the programmable logic controllers used at Natanz.
Solution: Stuxnet contains the first-ever programmable logic controller rootkit, which hijacks the control system, disables alarms, and modifies alerting messages to remain undetected by plant operators.

Compromising the industrial
control systems of the Natanz fuel enrichment processing facilities was no
trivial task. Once released, the malware had to autonomously achieve some
seriously daunting tasks. Ralph Langner, the pre-eminent
Stuxnet expert, summed up Stuxnet best. “Stuxnet is like the arrival of an F-35
fighter jet on a World War I battlefield. The technology is that much superior
to anything ever seen before, and to what was assumed possible.”[6]

With Stuxnet out of the bag,
governments around the world are scrambling to respond: assessing the exposure
of their own critical infrastructure to Stuxnet-like malware and, no doubt,
developing their own cyber warheads for use against all sorts of industrial
control systems.

Targets

One of the prime targets of cyber weaponry is critical
infrastructure controlled through electronic Supervisory Control and Data
Acquisition (SCADA) systems. SCADA systems allow remote monitoring and
control of a broad deployment of physical world infrastructure. In the hands of
asset owners and operators SCADA systems greatly increase operational
efficiencies and capabilities. In the wrong hands SCADA systems could disrupt or
corrupt delivery of essential services. Consider how SCADA systems are used
across a few industries:

Water
– Water Works organizations use SCADA systems to monitor water quality, flow,
pressure, and operational status. They also use SCADA systems to control water
production, distribution, and blending. Back in 2008, a California municipality published details of its SCADA water systems on its web site, going as far as showing a
screenshot of its SCADA Human-Machine Interface (HMI). Probably not a great idea.

Power
Generation – Power generators use SCADA systems to monitor boiler
temperatures, turbine performance, and environmental conditions and to control
power generation equipment in real-time.

Power
Distribution – Power distributors use SCADA systems to manage power supply
into their distribution network, manage flow, and monitor supply and demand.

As most SCADA systems are not directly Internet-accessible,
the likely SCADA system compromise path is to compromise a system that has
access to the network on which the SCADA system resides and use that as a
staging point for the attack against the SCADA system. With advanced malware
kits that provide hackers persistent, stealthy remote control this possibility
is very real.

[1]
Cyber Threats and the US Economy, Statement for the Record Before the Joint
Economic Committee on Cyber Threats and the US Economy, John A. Serabian, Jr.,
Information Operations Issue Manager, CIA, February 23, 2000.